HIGH🇵🇱 Wersja polska

CVE-2020-5206

CVSS 8.7v3.1pub. 2020-01-30upd. 2024-11-21

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  • Apereo Opencast

    APP
    Apereo
    8.0< 7.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2021-43821CRITICAL9.9ten sam produkt

Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast before version 9.10 or 1...

CVE-2018-16153HIGH7.5ten sam produkt

An issue was discovered in Apereo Opencast 4.x through 10.x before 10.6. It sends system digest credentials du...

CVE-2021-43807HIGH7.5ten sam produkt

Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast versions prior to 9.10 a...

CVE-2021-32623HIGH8.1ten sam produkt

Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast...

CVE-2020-5230HIGH7.7ten sam produkt

Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. Th...